Obfuscation Revealed - Leveraging Electromagnetic Emanations for IoT Malware Classification
Hardwear.io USA 2022, 6th - 10th June 2022 Santa Clara, CA
, DUY-PHUC PHAM & ANNELIE HEUSER
Research about IoT malware and tools developed for automated IoT malware classification are limited. IoT and embedded technologies use numerous customized firmware and hardware, without taking into consideration security issues, which make them an attractive attack surface for cybercriminals, especially malware authors. Various types of state-of-the-art malware on Microsoft Windows took decades from the first known malicious software to happen in the wild, now start emerging on IoT devices in a shorter time.
We present a novel, robust and promissing approach of leveraging electromagnetic emanations to identify the kinds of malware that are targeting the Raspberry Pi device. Using our approach, malware analysts can obtain accurate information about the type and identity of IoT malware, even with obfuscation techniques that can prevent static and symbolic binary analysis. We recorded traces of more than 100K measurements from IoT devices infected with various malware samples and realistic benign activity. Our method allows deployment independent of available resources with no overhead. Moreover, our approach has the advantage that malware authors are less likely to detect and bypass. In our experiments, we were able to predict three common types of malware vs. benign activities with 99.82% accuracy.
Mac-A-Mal An Automated Platform for Mac Malware Hunting
Blackhat Asia 2018
As Mac systems grow in popularity, so does macOS malware - whilst macOS malware analysis is still lagging behind - particularly when we deal with malicious behaviors in the user space. To amend this shortcoming, we have come up with macOS analyzer for malware – Mac-A-Mal: a system for behavioral monitoring of components at kernel level which allows analysts to automatically investigate malware on macOS, broadly extending what is available today with Cuckoo sandbox. Full Abstract & Presentation Materials
When Electromagnetic Signals Reveal Obfuscated Malware-Deep and Machine Learning Use cases
SemSecuElec, DGA-MI. October 22, 2021
The Internet of Things (IoT) is constituted of devices that are expo-nentially growing in number and in complexity. They use plentiful customized firmware and hardware, ignoring potential security issues, which make them a perfect victim for cybercriminals, especially malware authors. We described a new usage of side channel information to identify threats that are targeting the device. Using our approach, a malware analyst is able to accuracy know about malware type and identity, even in the presence of obfuscation techniques which may avoid static or symbolic binary analysis. We captured 100,000 leakage traces from an IoT device infected by a miscellaneous and representative in-the-wild malware samples and realistic benign activity. Our technique does not need to modify the target device. Thus, it can be deployed independently from the resources available without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by the malware authors. In our experiments, we were able to classify three generic malware types (and one benign class) with an accuracy of 99.82%. Even more, we show that our solution permits to classify altered malware samples with unseen obfuscation techniques during the training phase, and to determine what kind of obfuscations were applied to the binary, which makes our approach particularly useful for malware analysts. Video
Obfuscation defeated - Leveraging electromagnetic signals for malware classification with Deep learning
GDR Hands-on Machine Learning for Security, Sep 2021.
Electromagnetic Side-Channel Analysis for Obfuscated Malware classification
Israeli Conference on Hardware and Side-Channel Attacks (ICHSA) 2021